CS642:    Computer  Security  

Professor  Ristenpart  h9p://www.cs.wisc.edu/~rist/  rist  at  cs  dot  wisc  dot  edu  

University  of  Wisconsin  CS  642  

Web  Security  

Liberal  borrowing  from  Mitchell,  Boneh,  Stanford  CS  155    

University  of  Wisconsin  CS  642  

Web  security  part  1  

Same-­‐origin  policy  /  NavigaMon  policy  

Basic  web  security  models  

Browser  security  

Cookies  /  Session  handling  

WWW  

Tim  Berners-­‐Lee  and  Robert  Cailliau  1990    HTTP,  CERN  h9pd,  gopher  

 1993  Mosiac  web  browser  (UIUC,  Marc  Andreesen)    1994  W3C  WWW  ConsorMum  -­‐-­‐-­‐  generate  standards    

 Gopher  started  charging  licensing  fees      (Univ  of  Minnesota)  

Nowadays:  ecosystem  of  technologies  

•  HTTP  /  HTTPS  •  AJAX  •  PHP    •  Javascript  •  SQL  •  Apache  •  Ruby  •  h9p://w3schools.com/    

Threat  model  

Internet   a9acker.com  

User  

bank.com  

A   B  

network  a9acker  

Uniform  resource  locators  (URLs)  

h9p://www.tom.com:80/calendar/render.php?gsessionid=OK  

protocol  

hostname  

port  path  

query  

URL’s  only  allow  ASCII-­‐US  characters.    Encode  other  characters:    %0A  =  newline  %20  =  space  

Special  characters:  +  =  space  ?  =  separates  URL  from  parameters  %  =  special  characters  /  =  divides  directories,  subdirectories  #  =  bookmark  &  =  separator  between  parameters  

HTTP  Request  

GET /index.html HTTP/1.1 Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en Connection: Keep-Alive User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Host: www.example.com Referer: http://www.google.com?q=dingbats

Method File HTTP version Headers

Data – none for GET Blank line

GET  :      no  side  effect                      POST  :      possible  side  effect  

HTTP  Response  

HTTP/1.0 200 OK Date: Sun, 21 Apr 1996 02:20:42 GMT Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive Content-Type: text/html Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT Set-Cookie: … Content-Length: 2543 <HTML> Some data... blah, blah, blah </HTML>

HTTP version Status code Reason phrase Headers

Data

Cookies  

Browser  execuMon  

•  Each  window  (or  tab):  –  Retrieve/load  content  –  Render  it  

•  Process  the  HTML  •  Might  run  scripts,  fetch  more  content,  etc.  

–  Respond  to  events  •  User  acMons:  OnClick,  OnMouseover  •  Rendering:  OnLoad,  OnBeforeUnload    •  Timing:  setTimeout(),    clearTimeout()    

Document  Object  Model  (DOM)  

From  h9p://w3schools.com/htmldom/default.asp  

Object-­‐oriented  way  to  refer  to  objects  in  a  web  page  ProperMes:  document.alinkColor,  document.URL,        document.forms[  ],  document.links[  ],  document.anchors[  ]  Methods:    document.write(document.referrer)  

Document  Object  Model  (DOM)  

Object-­‐oriented  way  to  refer  to  objects  in  a  web  page  ProperMes:  document.alinkColor,  document.URL,        document.forms[  ],  document.links[  ],  document.anchors[  ]  Methods:    document.write(document.referrer)  

Browser  Object  Model  (BOM)  window,  document,  frames[],  history,  locaMon,    navigator  (type  and  version  of  browser)  

Seemingly  innocuous  features?  

•  <img  src=“bucky.jpg”  height=“50pt”  width=“50pt”>  

•  Displays  an  image  •  What  can  a9acker  do?  

Javascript  Mming  

<html><body><img  id="test"  style="display:  none">  <script>          var  test  =  document.getElementById(’test’);          var  start  =  new  Date();          test.onerror  =  funcMon()  {                      var  end  =  new  Date();                      alert("Total  Mme:  "  +  (end  -­‐  start));            }            test.src  =  "h9p://www.example.com/page.html";  </script>  </body></html>  

Behind-­‐firewall  webapp  scanning  •  JavaScript  can:  

–  Request  images  from  internal  IP  addresses  •  Example:    <img  src=“192.168.0.4:8080”/>  

–  Use  Mmeout/onError  to  determine  success/failure  –  Fingerprint  webapps  using  known  image  names  

Server  

Malicious  Web  page  

Firewall  

1)  “show  me  dancing  pigs!”  

2)  “check  this  out”  

Browser  

scan  

scan  

scan  3)  port  scan  results  

Browser  security  model  

Should  be  safe  to  visit  an  a9acker  website  

Should  be  safe  to  visit  sites    simultaneously  

Should  be  safe  to  delegate  content  

Browser  isolaMon  

Browser  is  running  untrusted  inputs  (a9acker  webpage)  

Like  all  big,  complex  soyware,  browser  has  security  vulnerabiliMes  

Browsers  include  “Rich  Internet  ApplicaMons”  (RIAs)    that  increase  a9ack  surface:  

 e.g.,  Adobe  Flash    (see  reading  for  today  by  Blazakis)  

Malicious  website  exploits  browser,  from  there  system  

Web  pages  are  not  single-­‐origin  lFrames:                  <iframe    src=“//site.com/frame.html”    >      </iframe>  

Scripts:    <script      src=“//site.com/script.js”    >    </script>  

CSS:              <link  rel="stylesheet"    type="text  /css”  href=“//site/com/theme.css"    />  

Objects    (flash):              [using        swfobject.js      script  ]    <script>              var  so  =  new  SWFObject(‘//site.com/flash.swf',  …);        so.addParam(‘allowscriptaccess',    ‘always');          so.write('flashdiv’);    </script>        

Browser  handles  mulMple  sites,  must  maintain  separate  security  contexts  for  each  

OperaMng  system  •  PrimiMves    

•  System  calls  •  Processes  •  Disks  

•  Principals:  Users  •  DiscreMonary  access  controls  

•  VulnerabiliMes  •  Buffer  overflows  •  root  exploit  •  …  

Browsers  •  PrimiMves    

•  Document  object  model  •  Frames  •  Cookies  /  local  storage  

•  Principals:  Origins  •  Mandatory  access  controls  

•  VulnerabiliMes  •  Cross-­‐site  scripMng  (XSS)  •  Cross-­‐site  request  forgery  (CSRF)  •  Cache  history  a9acks  •  …  

Same-­‐origin  policy  

•  Each  frame  of  page(s)  has  an  origin  – protocol://host:port  – Origin  is  (protocol,host,port)  

•  Frame  can  access  its  own  origin  – Network  access,  Read/write  DOM,  storage  (cookies)  

•  Frame  cannot  access  data  associated  with  another  origin  

Frame  relaMonships  

21  

Child  

Sibling  

Descendant  

Ancestor  

Frame  policies  

•  Permissive  – any  frame  can  navigate  any  other  frame  

•  Child  – only  can  navigate  if  you  are  parent  

•  Descendent  – only  can  navigate  if  you  are  ancestor  

Which  do  you  think  should  be  used?  

canScript(A,B)    and    canNavigate(A,  B)  

Browser   Policy                    IE  6  (default)   Permissive                    IE  6  (opMon)   Child                    IE7  (no  Flash)   Descendant                    IE7  (with  Flash)   Permissive                    Firefox  2   Window                    Safari  3   Permissive                    Opera  9   Window  

                 HTML  5   Child  

Legacy  Browser  Behavior  

Problems  with  permissive  

awglogin  window.open("https://attacker.com/",  "awglogin");  

frames['right'].window.locaMon=“evil.com/login.html”;  

Browser   Policy                    IE7  (no  Flash)   Descendant                    IE7  (with  Flash)   Descendant                    Firefox  3   Descendant                    Safari  3   Descendant                    Opera  9   (many  policies)                    HTML  5   Descendant  

AdopMon  of  Descendant  Policy  

UI  Redressing  (Clickjacking)  

Overlayed  frame            

Do  evil  thing()  

Defense:  NoScript  plugin  a9empts  to  prevent  this  for  Firefox  

FramebusMng  

<script  type="text/javascript">          if(top  !=  self)  top.locaMon.replace(locaMon);  </script>  

Embed  in  your  webpage  to  avoid  being  rendered    within  another  (adversarial)  frame.    Has  limitaMons.  See    "BusMng  Frame  BusMng:    a  Study  of  Clickjacking  VulnerabiliMes  on  Popular  sites”  

Cookies:  Se�ng/DeleMng  

scope

•  Delete cookie by setting “expires” to date in past •  Default scope is domain and path of setting URL •  Client can also set cookies (Javascript)

GET …

HTTP Header: Set-cookie: NAME=VALUE ;

domain = (when to send) ; path = (when to send) secure = (only send over SSL); expires = (when expires) ; HttpOnly

if  expires=NULL:  this  session  only  

Cookie  scope  rules  (domain  and  path)  

•  Say  we  are  at  www.wisc.edu  – Any  non-­‐TLD  suffix  can  be  scope:  

•  allowed:  www.wisc.edu  or  wisc.edu  •  disallowed:  www2.wisc.edu  or  ucsd.edu  

•  Path  can  be  set  to  anything  

Cookies:  reading  by  server  

•  Browser sends all cookies such that •  domain scope is suffix of url-domain

•  path is prefix of url-path

•  protocol is HTTPS if cookie marked “secure”

GET /url-domain/url-path

Cookie: name=value

Cookie  security  issues?  

•  Cookies  have  no  integrity  –  HTTPS  cookies  can  be  overwri9en  by  HTTP  cookie  (network  injecMon)  

– Malicious  clients  can  modify  cookies  •  Shopping  cart  vulnerabiliMes  

•  Scoping  rules  can  be  abused  –  blog.example.com  can  read/set  cookies  for  example.com  

•  Privacy  –  Cookies  can  be  used  to  track  you  around  the  Internet  

•  HTTP  cookies  sent  in  clear  –  Session  hijacking  

 

<script  type="text/javascript">    //<![CDATA[      var  hint      =  'mainpage';    document.write('<script  type="text/javascript"  src="h9p://ad.doubleclick.net/adj/

ostg.slashdot/pg_index_p1_leader;pg=index2;logged_in=0;Mle='+dfp_Mle+';sz=728x90;u=;ord='+dfp_ord+'?"><\/script>');  

   dfp_Mle++;    //]]>  

</script>  In  addiMon  to  ads  based  on  interest  categories,  Google  allows  adverMsers  (including  Google)  to  show  you  ads  based  on  your  previous  interacMons  online,  such  as  visits  to  adverMsers’  websites.  For  example,  someone  who  visited  the  website  of  an  online  sporMng  goods  store  can  receive  ads  about  special  offers  from  that  store.  -­‐-­‐-­‐  h9p://www.google.com/privacy/ads/  

Session  handling  and  login  GET /index.html

Set-Cookie: AnonSessID=134fds1431

POST /login.html?name=bob&pw=12345

Set-Cookie: SessID=83431Adf

Protocol  is  HTTPS.  Elsewhere  just  HTTP  

Cookie: AnonSessID=134fds1431

GET /account.html

Cookie: SessID=83431Adf

Session  Hijacking  

From  h9p://codebutler.com/firesheep  

Towards  prevenMng  hijacking  •  Use  encrypMon  when  se�ng  session  cookies  •  SessID  =  Enc(K,info)  where  :  –  K  is  server-­‐side  secret  key  –  Enc  is  Encrypt-­‐then-­‐MAC  encrypMon  scheme  –  info  contains:  

•  user  id  •  expiraMon  Mme  •  other  data  

•  Server  should  record  if  user  logs  out  •  Does  this  prevent  Firesheep  hijacking?  – No  –  include  in  data  machine-­‐specific  informaMon  –  turn  on  HTTPS  always